How to run iptables insert command on linux box as non root user?


 





Hello


I need to run iptables on a Linux box from a CGI on an Apache web server, but I need to run it as the apache user, not as root, to avoid a security vulnerability on the Apache web server.


Do I need to recompile iptables or the kernel?

Has someone done it before?

Thanks for your comments.


Ing. Israel Zavalza Bahena Technology Strategic Manager of INTERTIENDAS Network Center








From: netfilter-request@xxxxxxxxxxxxxxxxxxx
Reply-To: netfilter@xxxxxxxxxxxxxxxxxxx
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: netfilter digest, Vol 1 #872 - 10 msgs
Date: Fri, 30 May 2003 22:40:16 +0200

Send netfilter mailing list submissions to
	netfilter@xxxxxxxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.netfilter.org/mailman/listinfo/netfilter
or, via email, send a message with subject or body 'help' to
	netfilter-request@xxxxxxxxxxxxxxxxxxx

You can reach the person managing the list at
	netfilter-admin@xxxxxxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of netfilter digest..."


Today's Topics:


1. Need some clarity (Michael Carroll)
2. Skipping connection tracking for certain traffic types? (Ville Mattila)
3. Usage of netfilter (Aditya Bhasin)
4. A problem - connections dies (Peter Pohlmann)
5. vpn between networks with private ip network segment conflicts (dtrott@xxxxxxxxxxxxx)
6. RE: upgrade to iptabels from ipchains (John Friel III)
7. Re: SOLVED : Re: where is libipt_match.so? (David T-G)
8. RE: upgrade to iptables from ipchains (John Friel III)
9. iptables/conntrack in enterprise environment. (Preston A. Elder)
10. Re: [netfilter-core] iptables/conntrack in enterprise environment. (Preston A. Elder)


--__--__--

Message: 1
Date: Tue, 27 May 2003 14:45:54 -0400
From: Michael Carroll <ingenious@xxxxxxxx>
To:  netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Need some clarity

Hello netfilter development crew,

I have a couple of probably straightforward questions, but I don't know
the answers to them and would just like to clear things up a little bit.

# Generated by iptables-save v1.2.7a on Tue Apr 15 14:25:35 2003
*nat
:PREROUTING ACCEPT [7595:344053]
:POSTROUTING ACCEPT [80:4556]
:OUTPUT ACCEPT [63:3755]
COMMIT

That is what is generated when I first do an 'iptables-save > /dir' now
I was wondering what all the numbers inside those brackets stood for,
because when I start to add rules to them those numbers start to change.
They also add the user defined rules just before the COMMIT.  Does it
matter how you type out your iptables rules, like you should DROP
everything first, then start to 'open' ports up, correct?  Also, one other
thing: what does the COMMIT mean?

Thank you in advance.

Michael Carroll
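As an added example (not part of Michael's message or any list reply), here is a small parser for the iptables-save format the question is about. The bracketed pair after each chain policy is the policy counter: packets and bytes that fell off the end of the chain and were handled by the default policy, and "COMMIT" is where the whole table is handed to the kernel in one go. The dump below is constructed: the nat table is the one quoted above, the filter table and its counters are made up for the demo.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed iptables-save dump (not taken from the poster's system).
SAMPLE_SAVE = """\
# Generated by iptables-save v1.2.7a on Tue Apr 15 14:25:35 2003
*nat
:PREROUTING ACCEPT [7595:344053]
:POSTROUTING ACCEPT [80:4556]
:OUTPUT ACCEPT [63:3755]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [12:960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [500:40000]
:web - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j web
-A web -s 10.0.0.0/8 -j ACCEPT
COMMIT
"""

# ":NAME POLICY [packets:bytes]" -- the bracketed pair is the policy counter.
# User-defined chains have no policy and are written with "-" in its place.
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")


@dataclass
class Chain:
    name: str
    policy: Optional[str]          # None for user-defined chains
    packets: int                   # packets handled by the policy
    bytes: int                     # bytes handled by the policy
    rules: List[str] = field(default_factory=list)   # in evaluation order


def parse_iptables_save(text: str) -> Dict[str, Dict[str, Chain]]:
    """Parse iptables-save output into {table: {chain_name: Chain}}."""
    tables: Dict[str, Dict[str, Chain]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blank lines
        if line.startswith("*"):          # "*nat" opens a table
            current = line[1:]
            tables[current] = {}
            continue
        if current is None:
            raise ValueError("line outside a table: %s" % line)
        if line.startswith(":"):          # chain declaration with policy counters
            m = CHAIN_RE.match(line)
            if not m:
                raise ValueError("bad chain line: %s" % line)
            name, policy, pkts, byts = m.groups()
            tables[current][name] = Chain(
                name, None if policy == "-" else policy, int(pkts), int(byts))
        elif line.startswith("-A "):      # rule appended to a chain, order preserved
            chain = line.split()[1]
            if chain not in tables[current]:
                raise ValueError("rule for undeclared chain: %s" % line)
            tables[current][chain].rules.append(line)
        elif line == "COMMIT":            # table is loaded into the kernel atomically
            current = None
        else:
            raise ValueError("unrecognised line: %s" % line)
    if current is not None:
        raise ValueError("table %s has no COMMIT" % current)
    return tables


def permissive_builtin_chains(tables, table="filter") -> List[str]:
    """Built-in chains of `table` whose default policy is not DROP, sorted.

    A chain that ends in ACCEPT lets through whatever no rule matched; the
    policy counter shows how much traffic that is.
    """
    return sorted(name for name, ch in tables.get(table, {}).items()
                  if ch.policy is not None and ch.policy != "DROP")


def policy_counters(tables, table="filter") -> Dict[str, int]:
    """Packets handled by each built-in chain's policy in `table`."""
    return {name: ch.packets for name, ch in tables.get(table, {}).items()
            if ch.policy is not None}


if __name__ == "__main__":
    parsed = parse_iptables_save(SAMPLE_SAVE)
    for tname, chains in parsed.items():
        for ch in chains.values():
            print(tname, ch.name, ch.policy, ch.packets, ch.bytes, len(ch.rules))
    print("ACCEPT-by-default filter chains:", permissive_builtin_chains(parsed))
```

Run against a real dump (`iptables-save | python3 thisfile.py` after swapping SAMPLE_SAVE for stdin) it lists which built-in chains still rely on an ACCEPT policy, which is the "DROP first, then open ports" check from the question.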




--__--__--


Message: 2
Date: Tue, 27 May 2003 22:49:56 +0300 (EET DST)
From: Ville Mattila <vm@xxxxxx>
To: netfilter@xxxxxxxxxxxxxxxxxxx
cc: Ville Mattila <vm@xxxxxx>
Subject: Skipping connection tracking for certain traffic types?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all,


Correct me on this if I'm wrong: It is a feature of Netfilter that whenever conntrack is registered in kernel, then for example any UDP packet passing through the firewall causes the state table to be consulted resulting in either update of an old state entry if found or creation of a new state.

Now if the description above holds we have a slight problem.

At our site, connection tracking would be the nice way to
handle the classic case of allowing responses to UDP
requests initiating from our internal network. The problem
is that in the internal network there are several standalone
(a.k.a. non-forwarding) caching nameservers sending about 100
dns queries per second through the firewall in the worst case.
For us the default ip_conntrack_proto_udp.c timeout setting
of 30 seconds for unreplied UDP requests and 180 seconds
for assured streams could mean from 3 000 up to 18 000 state
entries for these dns requests alone.

This problem would be solved if it was possible with
Netfilter/iptables to skip connection tracking for some
rules (servers sending dns queries and replies to them in
our case), or better yet, not to track every connection by
default but only when requested per rule. Is this kind
of selective connection tracking possible already or will
it possibly become supported in future conntrack versions?


Best regards, Ville

- --
Mr. Ville Mattila, vm@xxxxxx, http://iki.fi/vm/

-----BEGIN PGP SIGNATURE-----

iD8DBQE+08FytUJlHUfTfMERAoqUAJ9IVa+SDTSH0RBpw62MQennyu2LfACgtbG0
xlVPrOV87drR5C4KidXjOgI=
=Me43
-----END PGP SIGNATURE-----


--__--__--


Message: 3
From: "Aditya Bhasin" <aditya.bhasin@xxxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Subject: Usage of netfilter
Date: Tue, 27 May 2003 15:17:15 -0700


Hi,

Is it possible using netfilter and libipq to extract a packet from the
IPv4 stream, buffer it in user space and then put the packet back on
the outgoing stream at a later point in time?

All the docs and examples I have looked at seem to read in a packet, do
an operation on it and then announce a verdict on the packet.

Are there APIs to insert packets into the queue which have not been read
from it? If that was allowed I could copy and reject initially and then
insert again at a later point in time.


thanks,


aditya





--__--__--

Message: 4
From: "Peter Pohlmann" <peter@xxxxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Subject: A problem - connections dies
Date: Tue, 27 May 2003 16:37:33 -0400


Hello list,

I have a problem with my masquerading.
Can someone supply me a basic configuration. I want to have the private network
open for everything.

The current rules are below. Works for pop, http etc. But ftp is not
proper and connecting to an outside smtp server is a problem too. I can
send very small emails but if some larger email or attachment it stops
after transferring some kbs.  What am I missing here?  The server is
redhat 9 pppoe to the dsl modem.

#!/bin/sh

modprobe ip_conntrack_ftp
modprobe iptable_nat
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

echo 1 >/proc/sys/net/ipv4/ip_forward
echo 1 >/proc/sys/net/ipv4/ip_dynaddr

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Thank you in advance,
Peter







--__--__--

Message: 5
Date: Wed, 28 May 2003 01:32:20 -0700
From: <dtrott@xxxxxxxxxxxxx>
To: drew.einhorn@xxxxxxxxxxxx
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: vpn between networks with private ip network segment conflicts

If:
- You don't need to access the whole remote network
  (just a limited number of servers)
- Those servers don't clash with anything on your local network
  or it's not too painful to move one or two hosts
  so they don't clash.

You may be able to kludge it with some proxy arping.

You will need to have:
- Both routers on non clashing addresses.
- Both routers proxy arp for the other one.
- Your local router will have to proxy arp for all the
  servers you wish to access.
- You will need to SNAT all outgoing VPN traffic to your
  local routers IP (to avoid conflicts on the remote lan).

Reverse local and remote for access in the opposite direction.

Note: I have not tested all this together, the closest I
have tried is:

My home network uses:

10.1.100.0/24

My work network uses:

10.1.0.0/16

I proxy arp the subnet on the router at work, but my home router doesn't
need to proxy arp or SNAT because the netmask is smaller and there are no
conflicts on the work LAN.


This will save you having to mess with the DNS, but to be honest I think the least painful route (in the long run) is just to re-number one of the networks.

This is especially true if you are planning to do anything with
MS networking, because MS networking really doesn't like NAT.


David



PS If bi-directional access is not required you may be able to SNAT to a virtual IP (per some of the other posts), this will save the remote router from needing to proxy arp.


Drew Einhorn Wrote:
> My LAN uses network segments 192.168.0.0/24, 192.168.1.0/24, etc.
> So does the remote network I need to vpn to (probably using some flavor
> of pptp).
>
> Is there an odd nat variant that will solve this problem.
> Probably need to do some kind of dns transformation on each side.

> Is there any easy solution.  Perhaps it would be easier (but not easy)
> to get the network segments renumbered on one end or the other.
>
> --
> Drew Einhorn <drew.einhorn@xxxxxxxxxxxx>
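Added example, not from David's or Drew's messages: a planning check for the proxy-ARP kludge described above. Given the local on-link subnet, the addresses in use on each side and the few remote servers you want, it applies David's conditions: both routers must be on addresses that are free on the other LAN, a remote server whose address is already taken locally has to be renumbered, a free address inside the local subnet must be proxy-ARPed by the local router (local hosts would otherwise ARP for it directly), and anything outside the local subnet is simply routed. It also generalises to David's own home/work case, where the /24 sits inside the /16, which is why only the work router needs proxy ARP. All addresses below are constructed for the demo.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List


def plan_reachability(local_net: str, local_hosts: Iterable[str], local_router: str,
                      remote_router: str, remote_hosts: Iterable[str],
                      remote_servers: Iterable[str]) -> Dict[str, List[str]]:
    """Classify the remote servers you want to reach across the VPN.

    local_net      the on-link subnet of the local LAN, e.g. "192.168.0.0/24"
    local_hosts    every address actually in use locally (router included)
    remote_hosts   every address in use on the far side (used to check the routers)
    remote_servers the handful of far-side servers you need to talk to
    """
    net = ip_network(local_net)
    local_used = {ip_address(h) for h in local_hosts}
    remote_used = {ip_address(h) for h in remote_hosts}
    report: Dict[str, List[str]] = {
        "router_clash": [],  # a router address that is also in use on the other LAN
        "clash": [],         # server address already taken by a local host: renumber one
        "proxy_arp": [],     # inside local_net but free: local router must proxy-ARP for it
        "routed": [],        # outside local_net: ordinary routing, no proxy ARP needed
    }
    # Condition 1: both routers on non-clashing addresses.
    if ip_address(local_router) in remote_used:
        report["router_clash"].append(local_router)
    if ip_address(remote_router) in local_used:
        report["router_clash"].append(remote_router)
    # Conditions 2 and 3: which servers clash, and which the local router must answer ARP for.
    for server in remote_servers:
        addr = ip_address(server)
        if addr in local_used:
            report["clash"].append(server)
        elif addr in net:
            report["proxy_arp"].append(server)
        else:
            report["routed"].append(server)
    return report


# Constructed scenario in the shape of Drew's problem: both sides use 192.168.0.0/24.
DREW = dict(local_net="192.168.0.0/24",
            local_hosts=["192.168.0.1", "192.168.0.10", "192.168.0.20"],
            local_router="192.168.0.1", remote_router="192.168.0.254",
            remote_hosts=["192.168.0.1", "192.168.0.10", "192.168.0.77", "192.168.0.254"],
            remote_servers=["192.168.0.10", "192.168.0.77", "192.168.1.5"])

# David's case seen from home (10.1.100.0/24 inside work's 10.1.0.0/16) ...
HOME = dict(local_net="10.1.100.0/24", local_hosts=["10.1.100.1", "10.1.100.5"],
            local_router="10.1.100.1", remote_router="10.1.0.1",
            remote_hosts=["10.1.0.1", "10.1.5.1", "10.1.5.2"],
            remote_servers=["10.1.5.1", "10.1.5.2"])

# ... and from work, where the home subnet falls inside the work /16.
WORK = dict(local_net="10.1.0.0/16", local_hosts=["10.1.0.1", "10.1.5.1", "10.1.5.2"],
            local_router="10.1.0.1", remote_router="10.1.100.1",
            remote_hosts=["10.1.100.1", "10.1.100.5"],
            remote_servers=["10.1.100.5"])

if __name__ == "__main__":
    for name, scenario in (("drew", DREW), ("home", HOME), ("work", WORK)):
        print(name, plan_reachability(**scenario))
```

The SNAT step from David's list is not modelled: once the local router rewrites outgoing VPN traffic to its own address, the remote side only ever sees the router, which is why the remote router's proxy ARP (and the router-clash check) is all that matters in that direction.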



--__--__--

Message: 6
From: John Friel III <john@xxxxxxxxxxxx>
To: "'netfilter@xxxxxxxxxxxxxxx'" <netfilter@xxxxxxxxxxxxxxx>
Cc: =?iso-8859-1?Q?=27Leonardo_Rodrigues_Magalh=E3es=27?= <leolistas@xxxxxxxxxxxxxx>
Subject: RE: upgrade to iptabels from ipchains
Date: Wed, 28 May 2003 13:31:43 -0500


>     would became this in iptables
>
> iptables -N soporte
> iptables -A soporte -s 10.0.1.1 -j ACCEPT
> iptables -A soporte -j DROP
> iptables -A FORWARD -s 10.0.0.0/25 -j soporte
> iptables -t nat -A POSTROUTING -s 10.0.1.1 -j MASQUERADE

And it should be noted that with these rules in place, all packets that get
forwarded to the soporte chain will get DROPPED because the forward rule
only forwards IP's in the range of 10.0.0.0-10.0.0.127 and the accept range
is restricted to -only- IP 10.0.1.1.

The 4th rule should be:

iptables -A FORWARD -s 10.0.0.0/16 -j soporte




Cheers! John Friel III Frieltek Consulting, Inc.


--__--__--


Message: 7
Date: Thu, 29 May 2003 01:08:22 -0400
From: David T-G <davidtg@xxxxxxxxxxxxxxx>
To: NetFilter Users' List <netfilter@xxxxxxxxxxxxxxxxxxx>
Cc: George Vieira <georgev@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: SOLVED : Re: where is libipt_match.so?



George --

...and then George Vieira said...
%
% no no no.. you've forgotten also the --state before mentioning the
% states your checking..

Ahhh...


%
%
% *george searches his scripts*
%
% See.... as below..
% $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Well, this seems to work and not cause any errors, so it's good enough
for me :-)


%
% Thanks,


Thank *you*!


:-D
--
David T-G                        * There is too much animal courage in
(play) davidtg@xxxxxxxxxxxxxxx   * society and not sufficient moral courage.
(work) davidtgwork@xxxxxxxxxxxxxxx  -- Mary Baker Eddy, "Science and Health"
http://justpickone.org/davidtg/     Shpx gur Pbzzhavpngvbaf Qrprapl Npg!




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE+1ZXGGb7uCXufRwARAts7AJ48YyvICTtRce1iBuZDQAlGJ5gpxACeKKAn
yIZfP04BuE1EdMkZZOn/EP0=
=FHFS
-----END PGP SIGNATURE-----



--__--__--


Message: 8
From: John Friel III <john@xxxxxxxxxxxx>
To: "'netfilter@xxxxxxxxxxxxxxx'" <netfilter@xxxxxxxxxxxxxxx>
Cc: =?iso-8859-1?Q?=27Leonardo_Rodrigues_Magalh=E3es=27?= <leolistas@xxxxxxxxxxxxxx>
Subject: RE: upgrade to iptables from ipchains
Date: Wed, 28 May 2003 13:37:33 -0500


>     would became this in iptables
>
> iptables -N soporte
> iptables -A soporte -s 10.0.1.1 -j ACCEPT
> iptables -A soporte -j DROP
> iptables -A FORWARD -s 10.0.0.0/25 -j soporte
> iptables -t nat -A POSTROUTING -s 10.0.1.1 -j MASQUERADE

And it should be noted that with these rules in place, all packets that get
forwarded to the soporte chain will get DROPPED because the forward rule
only forwards IP's in the range of 10.0.0.0-10.0.0.127 and the accept range
is restricted to -only- IP 10.0.1.1.

The 4th rule should be:

iptables -A FORWARD -s 10.0.0.0/16 -j soporte




Cheers! John Friel III Frieltek Consulting, Inc.
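Added example (not John's or Leonardo's code) that turns the point made in this message and in message 6 into a check: a rule inside a user-defined chain can only match packets that some jump actually delivers to that chain, so `-A soporte -s 10.0.1.1 -j ACCEPT` is dead when the only jump into soporte is restricted to 10.0.0.0/25. The lint below parses a script of iptables commands, works out which source ranges can reach each user chain, and reports rules whose `-s` can never match; the two rulesets are the one quoted above and John's /16 correction. Only `-t`, `-N`, `-A`, `-s` and `-j` are interpreted, which is conservative: ignoring other matches can only make a rule look more reachable than it is, so anything flagged really is unreachable.

```python
import shlex
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Set, Tuple

# The ruleset quoted in the message, and John's corrected version (constructed input).
ORIGINAL_RULES = """\
iptables -N soporte
iptables -A soporte -s 10.0.1.1 -j ACCEPT
iptables -A soporte -j DROP
iptables -A FORWARD -s 10.0.0.0/25 -j soporte
iptables -t nat -A POSTROUTING -s 10.0.1.1 -j MASQUERADE
"""
FIXED_RULES = ORIGINAL_RULES.replace("10.0.0.0/25", "10.0.0.0/16")

BUILTIN = {"INPUT", "OUTPUT", "FORWARD"}
ANY = ip_network("0.0.0.0/0")
Rule = Tuple[str, IPv4Network, Optional[str]]   # (command text, -s match, -j target)


def parse_filter_rules(script: str) -> Dict[str, List[Rule]]:
    """Collect filter-table rules per chain from a script of iptables commands."""
    chains: Dict[str, List[Rule]] = {c: [] for c in BUILTIN}
    for line in script.splitlines():
        argv = shlex.split(line)
        if not argv or argv[0] != "iptables":
            continue
        table, new_chain, chain, src, target = "filter", None, None, ANY, None
        i = 1
        while i < len(argv):
            opt, val = argv[i], argv[i + 1] if i + 1 < len(argv) else None
            if opt == "-t":
                table = val
            elif opt == "-N":
                new_chain = val
            elif opt == "-A":
                chain = val
            elif opt == "-s":
                src = ip_network(val, strict=False)   # a bare host becomes a /32
            elif opt == "-j":
                target = val
            else:
                i += 1                                 # unknown flag: skip it alone
                continue
            i += 2
        if table != "filter":
            continue                                   # nat/mangle rules do not filter
        if new_chain:
            chains.setdefault(new_chain, [])
        if chain:
            chains.setdefault(chain, []).append((line.strip(), src, target))
    return chains


def _intersect(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    """The more specific of two overlapping networks, or None if disjoint."""
    if not a.overlaps(b):
        return None
    return a if a.prefixlen >= b.prefixlen else b


def sources_reaching(chains: Dict[str, List[Rule]], name: str,
                     seen: Optional[Set[str]] = None) -> List[IPv4Network]:
    """Source networks whose packets can enter chain `name` through some jump."""
    if name in BUILTIN:
        return [ANY]
    seen = set(seen or ()) | {name}
    reach: List[IPv4Network] = []
    for parent, rules in chains.items():
        if parent in seen:
            continue                                   # avoid chain loops
        for _, src, target in rules:
            if target != name:
                continue
            for upstream in sources_reaching(chains, parent, seen):
                narrowed = _intersect(upstream, src)
                if narrowed is not None:
                    reach.append(narrowed)
    return reach


def unreachable_rules(chains: Dict[str, List[Rule]]) -> List[str]:
    """Rules in user chains whose -s can never match a packet that reaches the chain."""
    dead: List[str] = []
    for name, rules in chains.items():
        if name in BUILTIN:
            continue
        reach = sources_reaching(chains, name)
        for text, src, _ in rules:
            if not any(r.overlaps(src) for r in reach):
                dead.append(text)
    return dead


if __name__ == "__main__":
    print("original:", unreachable_rules(parse_filter_rules(ORIGINAL_RULES)))
    print("fixed:   ", unreachable_rules(parse_filter_rules(FIXED_RULES)))
```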


--__--__--


Message: 9
From: "Preston A. Elder" <prez@xxxxxxxxxxxxx>
Organization: Shadow Realm
To: netfilter@xxxxxxxxxxxxxxxxxxx,
	netfilter-devel@xxxxxxxxxxxxxxxxxxx, coreteam@xxxxxxxxxxxxx
Subject: iptables/conntrack in enterprise environment.
Date: Thu, 29 May 2003 01:13:47 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I am in an enterprise environment and I'm having some problems with conntrack
specifically.


We have a system that acts as a router, however any new inbound connection for
any machine behind this router is re-directed to a specific port on the local
machine, where an application responds as if it were the system behind the
router. These systems experience some very high volumes of traffic
(sustaining over 30mbit of traffic). Here's a breakdown of TCP socket
connections by status at one particular point in time:
ESTABLISHED : 1363
LAST_ACK : 27
TIME_WAIT : 616
FIN_WAIT2 : 8
FIN_WAIT1 : 140
SYN_RECV : 6188
CLOSE_WAIT : 365
LISTEN : 3
CLOSING : 5


We have multiple systems performing this task (essentially for load balancing
and to remove a single point of failure). The systems are dual 1ghz pentium
3's, with 1-2gb of ram, so they're not shy systems. They're running 2.4.20
kernels (mostly vanilla) with iptables 1.2.7a.


Here are some system limits I am tweaking (ie. the commands to do the
tweaking):
# the forwarding switch lives under ipv4 (the posted path lacked that component)
echo 1 >/proc/sys/net/ipv4/ip_forward
echo 524280 >/proc/sys/fs/file-max
echo 524280 >/proc/sys/net/ipv4/ip_conntrack_max
echo 65535 >/proc/sys/net/ipv4/ip_queue_maxlen
echo 65535 >/proc/sys/net/ipv4/tcp_max_syn_backlog
# NONE EST SYN_S SYN_R FIN_W TIME_W CLOSE CLOSE_W LAST_A LISTEN
echo "1800 21600 120 60 30 30 10 30 30 120" > /proc/sys/net/ipv4/ip_conntrack_tcp_timeouts
ulimit -H -n 524280
ulimit -S -n 524280
# clamp MSS to path MTU on forwarded SYNs (the posted line was cut off at "pmt")
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu



Because every new connection to one of the systems 'behind' these systems needs
to be re-directed to a local port, which is achieved with the command:
/sbin/iptables -t nat -A PREROUTING -j DNAT -i eth0 -p tcp -d <ip-range> --destination-port 1024:65535 --to-destination <local_ip>:<local_port>


Every inbound connection incurs an entry in the connection tracking table. It
seems, however, that we may be overloading the conntrack system. I can
telnet to a different port listening on a secondary (internal) interface (but
the same application), that bypasses the above rule, and get an immediate
connection, however establishing a connection 'to' a server behind this
router can take a number of seconds, and sometimes may never establish.
What's more, connecting directly to the port everything else is being
re-directed to via the 'public' interface itself can take some time (though
not as long as connecting 'to' a system behind this box).


The conntrack table itself very quickly grows - but it does not clean itself
up when the connection itself disappears, instead it waits for some
pre-determined timeout value, which means even though, as shown above, the
number of connections in-progress (one way or another) is about 8000
connections, the conntrack table is absolutely huge (hundreds of thousands of
entries), and as time goes on, the larger it gets. To try to combat this,
I've reduced the biggest timer (how long an established connection stays in
conntrack) from 5 days to 6 hours (all the connections we have are, and
should be, short lived, so that is plenty of time). This helps a bit,
however I'm still at a loss to try to understand why conntrack does not clean
itself up when the connection gets closed.


Of course, seeing how big the conntrack table is, itself, impacts the system
dramatically. The 'wc -l /proc/net/ip_conntrack' command takes a long time
to run, and brings the 'active' processing to its knees while doing this.
From all appearances, it appears conntrack is hamstringing us. It appears it
is not able to properly handle large-traffic systems, especially where
essentially every connection going through the system is nat'd.


I'd appreciate ANY help or thoughts on how to remedy this issue, as I have
said, this is in use in an enterprise environment (which of course, means I
cannot divulge the purpose of the application I mentioned earlier (however
all you really need to know is the application does not really know (or care)
whether the connection to it is nat'd, and just uses it as a standard socket
connection), however I can give details on the system/kernel/netfilter
configuration as necessary, just let me know what further information you
require).


I thank you in advance, and apologise for mailing all 3 lists, however I=20
figured someone on ONE of these lists would have an idea or a suggestion.

--
PreZ
Systems Administrator
Shadow Realm

PGP FingerPrint: B3 0C F3 32 DE 5A 7D 90  26 F6 FA 38 CC 0A 2D D8
Finger prez@xxxxxxxxxxxxx for full PGP public key.

Shadow Realm, a hobbyist ISP supplying real internet services.
http://www.srealm.net.au
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+1ZcVKFp14D8AGEQRAh4jAJ9mhilrpVsDvakS03re/HsT1jcXcwCcDqFT
nHqa0y2UPb9s5JgRsGIhP8o=
=bmA5
-----END PGP SIGNATURE-----



--__--__--

Message: 10
From: "Preston A. Elder" <prez@xxxxxxxxxxxxx>
Organization: Shadow Realm
To: Harald Welte <laforge@xxxxxxxxxxxxx>
Subject: Re: [netfilter-core] iptables/conntrack in enterprise environment.
Date: Thu, 29 May 2003 08:09:52 -0400
Cc: netfilter@xxxxxxxxxxxxxxxxxxx,
	netfilter-devel@xxxxxxxxxxxxxxxxxxx, coreteam@xxxxxxxxxxxxx

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 29 May 2003 04:39 am, Harald Welte wrote:
> On Thu, May 29, 2003 at 01:13:47AM -0400, Preston A. Elder wrote:
> > Hi,
> >
> > I am in an enterprise environment and I'm having some problems with
> > conntrack specifically.
> >
> > They're running 2.4.20 kernels (mostly vanilla) with iptables 1.2.7a.
>
> Do not use 2.4.20 if you want to use connection tracking. 2.4.20
> connection tracking is totally broken due to a change introduced in the
> core kernel.
>
> Please do always use patch-o-matic from CVS. The patch you want to
> apply for fixing this bug is 10_confirm_fix.patch
This patch was applied already. In fact, I'm using Gentoo (but using the
'vanilla' kernel from gentoo, so it's not got every patch under the sun), and
I specifically picked out and applied the following patches:
018_gcc31-compile-optimizations
021_ecc-20020904
701_iptables-20_iptables-proc
702_iptables-24_conntrack-nosysctl
722_iptables-tcplimit
724_iptables-u32
741_iptables-ip_conntrack_find
742_iptables-ip_ct_refresh_optimization
744_iptables-03_ip_conntrack_proto_tcp-lockfix
747_iptables-06_ftp-conntrack-msg-fix
748_iptables-07_ECN-tcpchecksum-littleendian-fix
752_iptables-10_confirm_fix
753_iptables-10_local-nat-expectfn
759_iptables-24_conntrack-modify-after-free-fix
760_iptables-25_ip_tables-comment-fix
766_iptables-33_ipqueue_memoryleak
764_iptables-31_nat_parse_fix
770_iptables-ip_conntrack-timeouts
900_quick-fixes
902_minor_fixes


Please let me know if you think one is missing I should try.

> Also, considering
>
> > echo 524280 >/proc/sys/net/ipv4/ip_conntrack_max
>
> without using a larger hash size (modprobe ip_conntrack hashsize=foo,
> where foo should be a prime number and in the range of 524280/2)
I'll try this and report back.

> > to be re-directed to a local port, which is achieved with the command:
> > /sbin/iptables -t nat -A PREROUTING -j DNAT -i eth0 -p tcp -d <ip-range>
> > - --destination-port 1024:65535 --to-destination <local_ip>:<local_port>
> >
> > Every inbound connection incurs an entry in the connection tracking
> > table. It seems, however, that we may be overloading the conntrack
> > system.
>
> I've seen systems with way more conntrack entries and higher bandwith.
> Using NAT however, might have a big performance impact.
Well, this system itself isn't doing 'nat', however, by implication, the above
rule makes every connection nat'd.


> > The conntrack table itself very quickly grows - but it does not clean
> > itself up when the connection itself dissapears, instead it waits for
> > some pre-determined timeout value,
>
> With a non-broken kernel it is 2 minutes, that is TIME_WAIT of a TCP
> socket.
That was not my point. My point was, for up to 5 days later, the system still
has entries in the conntrack table (listed as 'ESTABLISHED'), which have been
dead and gone for a long time, conntrack does not realise that connection is
utterly closed, and it should drop its conntrack entry. I'm not as worried
about the lower-value timeouts, but as I said, I saw A LOT of established
connections hanging around in the conntrack table (making the conntrack table
about 200,000 entries long, give or take), most of which were entries for
connections already closed.


--
PreZ
Systems Administrator
Shadow Realm

PGP FingerPrint: B3 0C F3 32 DE 5A 7D 90  26 F6 FA 38 CC 0A 2D D8
Finger prez@xxxxxxxxxxxxx for full PGP public key.

Shadow Realm, a hobbyist ISP supplying real internet services.
http://www.srealm.net.au
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+1finKFp14D8AGEQRAmT5AJ48csFfxVIMJQykL5mhG7VQzx/79wCgjmQ1
drFKsTbUeJ8F0EEicWgBosQ=
=QWoJ
-----END PGP SIGNATURE-----
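Added example, not from Preston's or Harald's messages or from the netfilter project: a reader for the /proc/net/ip_conntrack table that answers the questions raised in messages 9 and 10 without the whole-table `wc -l` Preston complains about, and that also covers Ville's sizing concern from message 2. It breaks the table down by protocol and TCP state, counts UNREPLIED entries (the ones evicted first when the table fills), lists ESTABLISHED entries whose remaining timeout is still above a threshold (the 5-day entries for long-dead connections Preston describes), and computes the steady-state table size a flow rate implies for a given timeout (Ville's 100 queries/s against the 30 s and 180 s UDP timeouts). The sample lines are constructed in the layout of the 2.4-era ip_conntrack file, not captured from anyone's system; the 431999 s entry stands in for the stock 5-day ESTABLISHED timeout.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Constructed /proc/net/ip_conntrack lines (2.4 layout): proto, protocol number,
# seconds until expiry, TCP state (tcp only), original tuple, reply tuple, flags.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=34567 dport=80 src=203.0.113.10 dst=10.0.0.5 sport=80 dport=34567 [ASSURED] use=1
tcp      6 3600 ESTABLISHED src=10.0.0.6 dst=203.0.113.10 sport=34568 dport=80 src=203.0.113.10 dst=10.0.0.6 sport=80 dport=34568 [ASSURED] use=1
tcp      6 55 SYN_RECV src=198.51.100.7 dst=203.0.113.10 sport=4000 dport=80 src=203.0.113.10 dst=198.51.100.7 sport=80 dport=4000 use=1
tcp      6 118 TIME_WAIT src=10.0.0.7 dst=203.0.113.10 sport=34569 dport=80 src=203.0.113.10 dst=10.0.0.7 sport=80 dport=34569 [ASSURED] use=1
udp      17 29 src=10.0.0.8 dst=10.0.0.1 sport=1025 dport=53 [UNREPLIED] src=10.0.0.1 dst=10.0.0.8 sport=53 dport=1025 use=1
udp      17 170 src=10.0.0.9 dst=10.0.0.1 sport=1026 dport=53 src=10.0.0.1 dst=10.0.0.9 sport=53 dport=1026 [ASSURED] use=1
"""

KV_RE = re.compile(r"(src|dst|sport|dport)=(\S+)")


class Entry(NamedTuple):
    proto: str
    ttl: int                  # seconds until conntrack expires the entry
    state: str                # TCP state, "-" for protocols without one
    orig: Dict[str, str]      # src/dst/sport/dport as first seen
    reply: Dict[str, str]     # reply direction; shows what NAT rewrote
    assured: bool             # traffic seen both ways: never evicted early
    unreplied: bool           # no reply yet: first to go when the table is full


def parse_entry(line: str) -> Entry:
    fields = line.split()
    proto, ttl = fields[0], int(fields[2])
    state = fields[3] if proto == "tcp" else "-"
    kvs = KV_RE.findall(line)           # 4 pairs for the original tuple, 4 for the reply
    orig, reply = dict(kvs[:4]), dict(kvs[4:8])
    return Entry(proto, ttl, state, orig, reply,
                 "[ASSURED]" in line, "[UNREPLIED]" in line)


def parse_table(text: str) -> List[Entry]:
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def summarize(entries: List[Entry]) -> Dict[Tuple[str, str], int]:
    """Entry count per (proto, state): what a bare 'wc -l' cannot tell you."""
    return dict(Counter((e.proto, e.state) for e in entries))


def long_lived_established(entries: List[Entry], max_ttl: int) -> List[Entry]:
    """ESTABLISHED entries still holding more than max_ttl seconds of timeout.

    A connection whose teardown conntrack never saw stays ESTABLISHED until
    the full timer runs out; entries far above your expected lifetime are the
    stale ones worth looking at.
    """
    return [e for e in entries if e.state == "ESTABLISHED" and e.ttl > max_ttl]


def unreplied_count(entries: List[Entry]) -> int:
    return sum(1 for e in entries if e.unreplied)


def expected_entries(rate_per_second: float, timeout_seconds: int) -> int:
    """Steady-state table size one flow rate implies for one timeout value."""
    return int(rate_per_second * timeout_seconds)


if __name__ == "__main__":
    table = parse_table(SAMPLE_CONNTRACK)
    print("by state:", summarize(table))
    print("unreplied:", unreplied_count(table))
    for e in long_lived_established(table, 6 * 3600):
        print("stale?", e.orig, "ttl", e.ttl)
    print("100 qps x 30 s =", expected_entries(100, 30),
          "; x 180 s =", expected_entries(100, 180))
```

On a live box, replace SAMPLE_CONNTRACK with the contents of /proc/net/ip_conntrack; the file is still walked once, so this does not remove the cost Preston mentions, but it turns one read into the per-state breakdown and stale-entry list that a raw line count hides.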




--__--__--


_______________________________________________
netfilter mailing list
netfilter@xxxxxxxxxxxxxxxxxxx
https://lists.netfilter.org/mailman/listinfo/netfilter


End of netfilter Digest




